Skip to main content

AG Nessel Joins Bipartisan Coalition Urging the FTC to Account for Consumer Risks of Online Surveillance

LANSING – Michigan Attorney General Dana Nessel joined a bipartisan group of 33 attorneys general in calling on the Federal Trade Commission (FTC) to consider the consumer harms caused by the prevalence of commercial surveillance and data security practices when creating new rules to prevent misconduct and promote transparency and accountability around online data collection.  

In the comment letter, filed in response to the FTC’s Advanced Notice of Proposed Rulemaking on Commercial Surveillance and Data Security, the attorneys general urge the FTC to acknowledge the heightened sensitivity around consumers’ medical data, biometric data, and location data, along with the dangers that arise from data brokers and the surveillance of consumers. The coalition also asked that the FTC consider data minimization, which limits the amount of data collected by businesses to only what is required for a specific purpose, to help mitigate concerns surrounding data aggregation.  

"The crumbs that we leave behind on apps, websites, and databases can be tracked, gathered, and misused for identity theft and for profit in the commercial surveillance economy," Nessel said. "Much of the data being amassed is more than consumers know they are providing, and more than companies can effectively manage. Just as we indicated in the consumer alert recently released by my office, the fine print in the user agreements for some apps and programs give companies the right to sell personal information and make it available to advertisers, or whoever wants to pay for it. I gladly stand with my colleagues in supporting the FTC's efforts to regulate economic surveillance and minimize the threat it poses to consumer privacy."

Location Data

According to the letter, many consumers are not even aware that their location information is being collected, and when a consumer wishes to disable location sharing, their options are quite limited. The attorneys general recognize the sensitive nature of this information, which can reveal intimate details of daily life—such as where they live and work, their shopping habits, their daily schedule, or whether they visited the doctor or pharmacy. Laws passed in states like California, Connecticut, and Virginia that restrict the use and collection of location data can provide a framework to inform the FTC through the rulemaking process. 

Biometric Data

The coalition urges the FTC to consider the risks of commercial surveillance practices that use or facilitate the use of facial recognition, fingerprinting, or other biometric technologies. Many consumers provide this information to companies for security purposes or to learn about their ancestry, but consumers are not always made aware of when their data is collected, how it is used, or if it is resold for purposes to which they never meaningfully consented. 

Medical Data 

The FTC should also consider the risks of practices that use medical data, regardless of whether the data is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Privacy Rule. Medical data not necessarily covered by HIPAA is referred to as “health adjacent data,” which can be collected by many devices—for instance, smartwatches, heart monitors, sleep monitors, and health or wellness phone applications. The letter also highlights medical information risks through examples such as the storage of health-related internet searches, or appointment scheduling information being passed to others through online tracker tools.  

Data Brokers 

The attorneys general reiterated to the FTC the persistent dangers of data brokers. Data brokers profile consumers by scouring social media profiles, internet browsing history, purchase history, credit card information, and government records like driver’s licenses, census data, birth certificates, marriage licenses, and voter registration information. Data brokers also use this information to create profiles of certain consumers—which can be purchased by almost anyone—based on susceptibility to certain advertising or likelihood to buy certain products. This scale of aggregation of anonymously gathered information can identify consumers and put them at risk for scams, unwanted and persistent advertising, identity theft and loss of trust in the websites they visit. 

Data Minimization 

The attorneys general say that it is vital that the FTC consider data minimization requirements and limitations. With respect to data collection and retention, the letter encourages the FTC to examine the approach taken in the California, Colorado, Connecticut, Utah and Virginia consumer privacy laws, which mandate that businesses tie and limit the collection of personal data to what is “reasonably necessary” in relation to specified purposes. Limiting the collection and retention of data by businesses will improve consumer data security as businesses will have less data to protect and less data potentially available to bad actors.  

The letter was co-led by Connecticut Attorney General William Tong, Illinois Attorney General Kwame Raoul, Massachusetts Attorney General Maura Healey, New Jersey Attorney General Matthew Platkin, North Carolina Attorney General Josh Stein, and Oregon Attorney General Ellen Rosenblum, and joined by the attorneys general of Arizona, Colorado, Delaware, Washington D.C., Hawaii, Idaho, Indiana, Iowa, Maine, Maryland, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Mexico, New York, Oklahoma, Pennsylvania, Rhode Island, South Carolina, Texas, Utah, Vermont, Washington, and Wisconsin. 

###